October 2007 Archives

I've always stressed the importance of strong visual images in security programmes and awareness campaigns. It's surprising how much leverage a strong, well-thought-through image can generate. Professional advice helps. In the past I've hired award-winning ex-Saatchi & Saatchi creative teams to help design themes, images and straplines. And I once hired Judith Hann of Tomorrow's World to help create a forward-looking image for a new security function.

So I can only admire the enterprise that prompted the CIA to adopt its latest terrorist-buster logo. It certainly creates an impact. Any suggestions on a suitable hacker-buster version?

They say that a week is a long time in politics. But changing public sector strategy can take a lifetime. So it’s unrealistic to expect civil servants to turn on a sixpence and immediately revise budgets and scorecards to implement the recommendations of a single study. It takes a bit more effort than that. So I was a little surprised by the reaction of Richard Clayton, a researcher from Cambridge University, to the rather inadequate Government response to the House of Lords Science and Technology Committee’s recent recommendations on personal Internet security.

Richard’s posting on the Cambridge University Security Research blog accuses the Government of being stupid or ignorant because they did not immediately implement his recommendations. Welcome to the reality of politics and business. Change cannot be achieved through good ideas alone. It requires convincing evidence, a sound business case and patient lobbying. And when you don’t get your own way, the smart response is to refine your arguments, not criticise the decision makers.

Cyberspace has an unusual effect on our perception of acceptable behaviour. For example there’s a phenomenon researchers term “the disinhibition effect” that encourages Internet users to behave in ways they wouldn’t dare contemplate in real life. There’s also an unfortunate tendency to glamorize hi-tech crime, to the extent that a successful hacker or fraudster can make a fine living out of security consultancy and appearance fees. So it was no surprise to find Frank Abagnale, a one-time convicted fraudster, giving a keynote address at last week’s RSA Conference in London, which boasts “keynotes delivered by the industry’s most respected leaders and innovators”. It’s a sign of the times.

The art of crisis management is to think forwards and aim to stay ahead of the media, anticipating negative coverage and taking steps to mitigate reputation damage. That’s why it pays to be honest about facts that might emerge at some future stage, and to have prepared responses for any anticipated speculation or spin by other stakeholders.

So I was surprised to read in the Boston Globe that a group of banks are claiming that 94 million accounts (more than twice the original estimate) were affected in the theft of personal data from TJ Maxx. That’s a staggering number, suggesting a much higher potential loss than previously estimated. It will no doubt generate a new wave of damaging publicity, despite the fact that the company seemed to have successfully drawn a line under the incident without suffering any serious impact on sales.

The key learning point is that, when in a crisis, avoid leaving room for future, sensational claims or speculation that might undermine your hard work in rebuilding your reputation. In particular, pay attention to the second rule of holes: if you’re in one, stop digging.

The cold, windy Docklands setting was an appropriate backdrop for the RSA Conference in London this week. There was little new, hot or entertaining on show. But, like Infosecurity, it’s a useful opportunity to network and assess trends in the vendor marketplace. In particular I was interested to meet Steve Hanna of Juniper who co-chairs the Trusted Computing Group, an organisation with a high-profile presence at this year’s conference and exhibition.

For some years TCG has been quietly establishing the standards to enable platform vendors to incorporate the trusted mechanisms to support data encryption and device authentication. Some products have hit the streets, and many more are in the pipeline. TCG are also addressing mobile and wearable computing devices, offering a partial antidote to the risks presented by consumerisation of client devices. When will it all take off? According to Steve, 2008 will be the year when “the rubber hits the road”.

A new survey by Symantec suggests that more than nine out of ten UK organisations carry out full evaluations of their disaster recovery plans but almost half of the tests fail. Should we be surprised by these figures? Absolutely not. In fact the figures are quite encouraging. We must be making progress. Because I've encountered an awful lot of critical business processes without proper continuity plans. And where they do exist, they’re often incomplete, out of date and generally fail when tested.

Business continuity planning is a thankless, time-consuming and messy activity. It’s not an exact science. More of a painfully slow journey in progressively improving the disaster response process, with frequent setbacks when any restructuring or reengineering takes place. You can’t outsource the work to consultants because business managers have to manage the process, so they need to be fully engaged in all aspects of the work. That's assuming of course that they can be persuaded to set aside the time and budget to stay on top of developments.

And it’s not uncommon to discover that there simply is no viable fallback option, either because of limitations in infrastructure design or the sheer expense of a replacement facility. Of course it’s relatively easy to replace modern IT infrastructure, and that was probably the context of this survey. The hard bit is buildings, plants and people.

CNN’s web site has an interesting item on the nature of the foreign intelligence hacking threat to US interests. It reports Joel Brenner, National Counterintelligence Executive, as saying that it’s not accurate to blame only the Chinese Government for recent penetrations of government systems. The reality is that about 140 foreign intelligence organizations are trying to hack into US computer networks. They are too easy to hack and the number of world-class hackers is multiplying at bewildering speed.

Of course this is only to be expected. Hacking is cheap, fast and can be carried out remotely. And the necessary skills are becoming widespread. In just a couple of years time Nicholas Negroponte’s one laptop per child initiative will hopefully have issued millions of networked laptops to children across several developing countries. Fast-forward several years and even the smallest intelligence services will have access to unprecedented levels of computer skills. Today we’re just scratching the surface of the real potential for cyber espionage and information warfare. As Alvin Toffler pointed out many years ago, it might even dominate the 21st Century.

Perhaps the only item in doubt is the actual number of countries in the world, which, interestingly, can range anywhere from 189 to 266 depending on your source. But whichever number you accept, it represents a lot of competing national interests.

Yesterday I attended a Parliament and the Internet Conference at the House of Commons. It’s a great forum which brings together many leading UK stakeholders from Government, Parliament, Academia and Industry to debate key policy issues. Not surprisingly, the issues of cybercrime and governance were high on the agenda. I came away with three striking impressions.

Firstly I was impressed by the consensus view of the room that this is a complex, fast-changing set of issues that demands a collaborative and integrated approach. Neither a centralized nor a hands-off approach to governance will solve the problems. In particular, Industry, Government and Law Enforcement need to develop effective working relationships to tackle the issues.

Secondly I was pleased to see that Commander Sue Wilkinson is making excellent progress establishing a much-needed e-crime capability for the UK. I was disappointed by the loss of the National High Tech Crime Unit. It was a major setback. But now it looks like we’re back on track, and with a stronger mainstream focus.

Thirdly it was impossible not to be hugely impressed by Nicholas Negroponte, who flew in from the US to present his One Laptop per Child initiative. Nicholas and his brilliant colleagues at MIT Media Lab and TTI/Vanguard have long been heavyweight thought-leaders and imaginative innovators. This initiative is the culmination of many years of experience in studying the impact of technology on education. The aim is to distribute low-cost laptops to children across the world. It’s a powerful initiative and a well-designed product with many interesting features, including Alan Kay’s excellent Squeak programming language. It also has in-built security features, including a unique, high-profile appearance to deter theft. (That’s why US postal vehicles don’t get stolen.) This initiative will have a huge impact on the world, and on security. It deserves our full support.

Benjamin Wright's comments on the ill-fated California AB 7799 Bill raise an important criticism about emerging compliance demands: they're getting too prescriptive. This was a trend I pointed out last year. It's because too many inexperienced standards-setters are now driving the agenda. The PCI Security Standard was an early indication of this trend. It's typical of a standard drafted by industry specialists, not experienced regulators or standards professionals.

Experienced regulators and seasoned standards writers tend to avoid solution-focused requirements. Regulators strive to maintain a level playing field, and you can't do that if you prescribe a solution based on the practices of individual organisations. Standards professionals also recognise that prescriptive solutions restrict innovation and don't stand the test of time. Unfortunately these considerations are not widely appreciated. And we don't have training courses for standards writers. But the stakes are getting higher. We need more standards for standards. Physician heal thyself.

Last weekend California Governor Arnold Schwarzenegger vetoed legislation to make merchants financially liable for costs due to retail data breaches. No doubt this was a huge relief to banks and retailers operating on the West Coast. But they shouldn’t allow themselves to be fooled into a false sense of security. Because the underpinning trend is for the compliance bandwagon to continue to gain strength.

When rejecting the AB 799 bill, Arnie is quoted as saying “it attempts to legislate in an area where the marketplace has already assigned responsibilities and liabilities”. That might well be the case but the track record has been that, in the absence of tough legislation, few organisations pay enough attention to the protection of customer data. And the legislation had plenty of political support, having been approved by the State Assembly and Senate with overwhelming majorities.

It’s in line with my forecast last year of a growing backlash to tougher compliance demands. Expect the occasional glitch, but the compliance bandwagon is relentless. And for those of you who think that California is a long way from your business operations, it’s worth noting that, since it pioneered the controversial data security breach disclosure law, SB 1386, nearly 40 other states have followed suit. Tougher legislation is coming everyone's way.

A few days ago Symantec reported a Word exploit in the wild just one day after Microsoft released the patch for the corresponding vulnerability. Rather unusually it was created using Word for Macintosh. Yet just a few months back McAfee claimed that “Exploit Wednesday” was a myth, pointing out that hackers simply don’t stockpile exploits waiting for the release of a patch. Perhaps they do. Or perhaps vendors have taken to stockpiling announcements.

But arguing about the current motives and habits of hackers is beside the point. The threat changes all the time. It can go up or down in any month. The real trend to note is that our exposure continues to get worse. Exploits are increasingly likely to strike before you get to roll out your patches. And the consequence is that we need to tighten up security around critical applications and infrastructure. Baseline security measures are no longer sufficient to protect valuable corporate assets. Organisations must identify, prioritise and place additional layers of security around their Crown Jewels. Because corporate infrastructures are becoming as open to attacks as the Internet itself.

The blog postings have been a bit thin these past few days as I’ve been head-down, writing up a lengthy feasibility study report on the potential for analysing security behaviour in digital communications. It might sound very ambitious, but there’s a lot of interesting things you can do to detect various forms of behaviour and misuse. And there’s a surprising breadth and depth of prior research in this area. Remember that IDS technology has been around for more than a decade and anti-malware scanning for twice as long. Unfortunately the trickle of innovative products in this area has not kept pace with the potential being mapped out by blue sky researchers. So you can’t yet exploit the most promising techniques.

So what can you find from communications analysis? Quite a bit if you put your mind to capturing, analysing, profiling, mining and fusing message content, traffic patterns and IT activity. And even more if you apply modern visualisation techniques to high-speed graphical user interfaces. Psychological and linguistic profiling is still in its infancy but it offers huge potential for the future. Data fusion and mining have already achieved many spectacular successes. And neural networks are an established tool in the fraud detection armoury.
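As an added illustration of the "capturing, profiling and fusing" idea above (example code written for this page, not from the post or the feasibility study it describes), the script below builds a per-sender baseline of hourly recipient volume from constructed mail-gateway log lines, then fuses a traffic-pattern signal (a z-score against that baseline) with a content signal (the fraction of messages carrying an off-site link) before raising an alert. The log format, sender names, timestamps and thresholds are all assumptions made for the example; the point is that neither signal on its own is conclusive, but the combination is far more selective than either.

```python
"""
Added example: fusing a traffic-pattern anomaly with a content indicator
from constructed mail-gateway log lines. All names, lines and thresholds
are assumptions made for this illustration.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed log lines (assumed format):
# <ISO timestamp> <sender> <recipient count> <1 if off-site link> <1 if attachment>
BASELINE_LOG = """\
2007-10-01T09:00:00 alice 1 0 0
2007-10-01T09:20:00 alice 2 0 1
2007-10-01T10:05:00 alice 1 0 0
2007-10-02T09:10:00 alice 1 1 0
2007-10-02T11:30:00 alice 3 0 0
2007-10-01T09:05:00 bob 1 0 0
2007-10-01T14:00:00 bob 1 0 0
2007-10-02T10:00:00 bob 2 1 0
"""

# Constructed "new" window: alice's account suddenly mails dozens of
# recipients per message with links; bob sends one linked mail as usual.
NEW_LOG = """\
2007-10-15T09:00:00 alice 1 0 0
2007-10-15T09:01:00 alice 40 1 0
2007-10-15T09:01:30 alice 38 1 0
2007-10-15T09:02:00 alice 45 1 0
2007-10-15T09:02:30 alice 41 1 0
2007-10-15T10:00:00 bob 2 1 0
"""


def parse(log_text):
    """Yield (hour_bucket, sender, recipients, has_link) for each log line."""
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, sender, rcpts, link, _attach = line.split()
        hour = datetime.fromisoformat(ts).strftime("%Y-%m-%dT%H")
        yield hour, sender, int(rcpts), int(link)


def hourly_features(log_text):
    """Aggregate per (sender, hour): message count, recipients, link fraction."""
    agg = defaultdict(lambda: [0, 0, 0])  # messages, recipients, messages with links
    for hour, sender, rcpts, link in parse(log_text):
        row = agg[(sender, hour)]
        row[0] += 1
        row[1] += rcpts
        row[2] += link
    return {k: {"msgs": v[0], "rcpts": v[1], "link_frac": v[2] / v[0]}
            for k, v in agg.items()}


def build_profiles(baseline_text):
    """Per-sender mean and spread of hourly recipient volume in the baseline window."""
    per_sender = defaultdict(list)
    for (sender, _hour), f in hourly_features(baseline_text).items():
        per_sender[sender].append(f["rcpts"])
    profiles = {}
    for sender, vals in per_sender.items():
        # Floor the spread at 1 so a very quiet sender does not produce
        # huge z-scores from a change of one or two recipients.
        profiles[sender] = (mean(vals), max(pstdev(vals), 1.0))
    return profiles


def detect(baseline_text, new_text, z_threshold=3.0, link_threshold=0.5):
    """Alert only when the traffic anomaly AND the content signal both fire."""
    profiles = build_profiles(baseline_text)
    alerts = []
    for (sender, hour), f in sorted(hourly_features(new_text).items()):
        # A sender absent from the baseline is compared against an empty
        # profile, so any linked burst from a new sender is flagged.
        mu, sigma = profiles.get(sender, (0.0, 1.0))
        z = (f["rcpts"] - mu) / sigma
        if z >= z_threshold and f["link_frac"] >= link_threshold:
            alerts.append({"sender": sender, "hour": hour,
                           "z": round(z, 1), "link_fraction": f["link_frac"]})
    return alerts


if __name__ == "__main__":
    for alert in detect(BASELINE_LOG, NEW_LOG):
        print(alert)
```

Run as-is, the script flags only alice's 09:00 hour on 15 October: her recipient volume is 163 standard deviations above her baseline and four of five messages carry links. Bob's single linked mail stays silent because his volume is within profile, which is the behaviour you want from a fused detector rather than a bare link-counting rule.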

Privacy is clearly an overriding issue, but effective security solutions exist or can be conceived to contain the risks for many applications. Ignorance of privacy considerations is a bigger problem, as demonstrated by the recent decision by US Homeland Security to scrap an ambitious $42 million anti-terrorism data-mining tool after investigators found it was being tested with information about real people without adequate privacy safeguards. Of course it might sound like Big Brother, perhaps something to be resisted. But you can’t reinvent the science behind digital communications analysis. The best approach is to take it forward and develop the necessary safeguards.

It’s comforting to read those security threat level indicators that inform us that the threat from malware attacks is currently low. Unfortunately there are blind spots in early warning systems. They’re based on intelligence rather than real intent. The reality is that we don’t know when a big attack is likely to strike. It could be tomorrow or might be next year. It’s easy for users to become complacent about threats when newspapers aren’t carrying scare stories. But the indications are that something big might be brewing in the pipeline. And we aren’t doing anywhere near enough to educate our users and customers.

For those of you who haven’t been tracking the steady progress of the Storm worm, I’d recommend reading Bruce Schneier's recent analysis in Wired. It’s claimed that up to 50 million PCs might have already been infected by this agile piece of malware, perhaps making it more powerful than the world’s fastest supercomputers. And we don’t know who’s behind it or what they are planning - unless we get lucky and they get caught. Storm is a glimpse of the future of malware. It’s dangerous and difficult to stop. Education is the key to reducing our exposure. So with Christmas looming and a flood of e-Cards and mail shots about to hit everyone’s in-trays, it’s time to raise those security awareness levels.

Earlier this week I attended a British Computer Society event “Public health - private data?” hosted jointly by the BCS Health Informatics Forum and the BCS Security Forum. This is not a new issue. Privacy advocates have long been banging the drum about this issue. The media has covered it extensively. And most British taxpayers are aware that the Government is investing billions of pounds in new infrastructure to enable their medical records to be more readily accessible. But I came away with the impression that we are only just commencing the much-needed debate on the ethics, requirements and solutions associated with safeguarding the privacy of patient records.

The first thing that struck me was that two BCS groups of professionals had decided to join forces to discuss these issues. (A third one, the Ethics forum, is also connected.) This is unprecedented in my experience. The second thing I noticed was the high degree of consensus amongst those present on many of the key issues. That's also unusual. But the most striking impression of all was the sheer difficulty of the problem space created by the change from storing unique copies of paper records in local cubby-holes to downloading electronic images from joined-up broadband networks. The problems generated are serious and hard to resolve. Given enough cash, we can solve the technical ones, though they do require a few well-overdue developments in identity management. The real issue is developing and implementing an acceptable set of rules governing just who can see what, as well as under what circumstances they can be overridden.

It's the type of problem that some academics might classify as a “wicked problem”, full of incomplete, contradictory and changing requirements. Such problems, like terrorism, are often found in areas associated with public policy. They don’t have clear-cut answers. What’s needed is an effective public debate. That’s not yet happened. But when I see healthcare, security and ethics professionals joining forces to discuss these issues, I feel a little bit more confident that we’re making some progress towards that goal.

Message Labs' latest intelligence report shows a sharp increase in viruses, spam and email threats, which now stand at record levels. Over one in fifty emails now contains malware, generally through a link to a site that installs it when opened. More than one in ninety mails contains a phishing attack. And viruses have doubled since the Spring to levels not seen for 18 months.

A major factor behind the increases is the Storm botnet, which created a fair amount of havoc in August. But it all demonstrates the unexpected nature of today’s threats. They can grow rapidly and decrease just as fast. Statistics provide little indication of future levels of activity. So business cases for new defensive measures should not be built on historical incident levels alone. Security functions need to be agile, always prepared for a steep rise in threats. With Christmas approaching it's a timely reminder for everyone to sharpen up their incident response.